Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-15 23:27 EST
Nmap scan report for 10.10.10.117
Host is up (0.028s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 43635/udp status
| 100024 1 43892/tcp6 status
| 100024 1 50932/tcp status
|_ 100024 1 54829/udp6 status
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
50932/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.10 seconds
We do find the hostname irked.htb we can add this to our hosts file
HTTP Port 80
When we navigate to the web server we can see the following
we can confirm this is a Debian based server
and the Apache version matches that of the Nmap scan: Apache 2.4.10
Let's get feroxbuster running and see if we can find any interesting directories
we do find
Doesnt lead anywhere interesting but would be classed as information disclosure
Since this mentions IRC not a bad place to start enumerating
What is IRC protocol?
Internet Relay Chat is a text-based chat system for instant messaging between internet-connected computers, designed for group communication in forums, and one-on-one communication via private messages
IRC generally runs on the following ports 6667, 6697
We can see from our nmap scans it is running a service called UnrealIRCd
UnrealIRCd is an open-source IRC daemon that utilises the following ports
6697
8067
65534
We can enumerate this daemon
Lets check for the service version using netcat
No luck
After abit of reading we can connect to the service using a random nick name so lets try
we can see the version number Unreal3.2.8.1
After abit of googling we can be certain this version is vulnerable to RCE due to a backdoor in the software
Now lets exploit this and gain a shell on the system
we need to make some slight modifications to the script
add our local ip and port for the shell to connect back to
Now we should be able to run the script
we know have a shell on the target
Priv Esc via ircd
First lets upgrade our shell
Lets find the version of debian
Lets find the kernel version
Lets check for any other users on the system
looks like there is one other user on the system
djmardov
Lets find what groups we are in and the user djmardov
Results
Lets see if we can find any interesting files within the system
SUID files
Lets search for files with keywords and certain extensions
we do find something interesting
When we read the file we can see a password
djmardov: UPupDOWNdownLRlrBAbaSSss
We saw ssh is available on the machine
we get a Permission denied might only be acssesible by ssh keys
Lets see if we can just su into the user
No luck again
hmmmm
It took me a minute to notice the sentence super elite steg backup pw so stegenography, weird how the main page of the website only had an image could this be where our password is located
Let's download the image from the main web page
Now lets run steghide with our newly found password
there was a pass.txt file located in the image
We know have the password Kab6h+m+bbp2J:HG Lets see if we can ssh into the machine now
it worked!
Priv Esc via djmardov
Now that we have a ssh session let's start enumerating
when we previously tried to find SUID bits there was one file that looked interesting
Why does this program have the SUID bit set
when we run it
it fails because there is no file named /tmp/listusers can we just create one and gain a root shell
Now if we run the viewuser programs we should get a root shell
netcat 10.10.10.117 6697
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
PASS shrek123
NICK shrek123
USER shrek123 atshrek Security :shrek123
ircd@irked:/$ groups ircd
groups ircd
ircd : ircd
ircd@irked:/$ groups djmardov
groups djmardov
djmardov : djmardov cdrom floppy audio dip video plugdev netdev lpadmin scanner bluetooth
find / -type f -perm /4000 2>/dev/null
find / -type f -name "*.txt" 2>/dev/null
find / -type f -name "*pass*" 2>/dev/null
find / -type f -name "*backup*" 2>/dev/null
ssh djmardov@10.10.10.117
su djmardov
su djmardov
Password: UPupDOWNdownLRlrBAbaSSss
steghide extract -sf irked.jpg
ssh djmardov@10.10.10.117
find / -type f -perm /4000 2>/dev/null
/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2023-12-15 21:13 (:0)
djmardov pts/1 2023-12-16 01:20 (10.10.14.7)
sh: 1: /tmp/listusers: not found
